Manual Chapter : Managing BIG-IQ Fraud Protection Service

Applies To:

BIG-IQ Centralized Management

  • 8.3.0, 8.2.0, 8.1.0, 8.0.0, 7.1.0

Fraud Protection Service overview

BIG-IQ® Fraud Protection Service (FPS) sends alerts to users whenever they are victims of malware or phishing attacks. BIG-IQ filters all alerts into different types and displays them for you to monitor. FPS has the ability to create rules to modify alerts, rules for forwarding alerts, or download rules from the Security Operations Center (SOC). Types of alerts include:
Uninspected Alerts
This list contains all alert types that have a status of new.
Monitored Alerts
This list contains all monitored alert types.
If you have configured fraud protection accounts, then you can view only the alerts that have been specified for your account to view.
Phishing Alerts
Phishing alerts include phishing user, copied pages, and user defined phishing. These alerts are created when a phishing victim enters user credentials onto a phishing web site, or when a phishing site has been detected by JavaScript. The user name that appears in the alert is the user name that is entered into the phishing site.
Malware Alerts
Malware alerts are separated into generic malware, targeted malware, external scripts, page modification, and user defined malware. The Malware Detection component thus enables the organization to take the necessary steps to mitigate the risks of the attack in real time. This component helps the organization to keep track of its affected users and reveal malicious money transaction attempts.
Suspicious Transactions
Suspicious Transactions include browser automation, remote access tools, transaction modification, and user defined. Suspicious transactions prevent automatic requests to the application's server by confirming that the request was made by a human and not issued automatically. Automatic requests can be issued by a Trojan attack that injects malicious JavaScript code into the user's browser in order to perform an automatic money transfer to the attacker's account, or by random bots attempting to automatically scrape data from the application.
Suspicious Logins
Suspicious logins include stolen credentials and user inspection. These alerts provide protection against Trojan attacks by encrypting information at the application layer on the client side. This ensures that any information exposed to the Trojan attack is encrypted. The encryption is performed on the client side, using a public key generated by the web server and provided uniquely per session. When the encrypted information is received by the web server, it is decrypted using a private key that is kept on the server side.
Mobile
Mobile alerts integrate with the applications of financial service providers, improving protection against the aforementioned threats and providing alerts on possible attacks. Mobile alerts neutralize local threats found on customers’ mobile devices, without altering the user experience. These alerts are created when the system detects an infected mobile device. Alert types that are included in this category are Mobile Malware, Mobile Man-in-the-middle (MITM), Mobile Security, and User Defined. They prevent phishing, Trojan attacks, and pharming attacks on mobile devices in real time, through detection, prevention, and application-level encryption.
Validation Errors
Validation error alerts are created when the expected cookie is missing or corrupted. Validation errors include transaction errors, encryption errors, missing components, and mobile errors.
Unfiltered Alerts
Unfiltered alerts are unfiltered views of all alerts except those that have the status of Ignore.
Saved Filters
Saved filters is a list of custom filters that you create and save. These are unique to each user. Saved filters are helpful if you would like to create your own view of alerts. If you are trying to track down a specific type of attack, you can save a unique filter to repeatedly check on a specific type of alert. The BIG-IQ® Fraud Protection Service provides a rich set of querying features which allow you to quickly and efficiently locate alerts that you are interested in.

FPS Alerts overview

There are a number of things you can do to specify the response to different kinds of alert types.
Each alert type has its own user interface, but the controls used to edit the rules that govern the response to these alerts are very similar.
Most alert types are organized into groups. On any list screen, you can click the little black triangle to expand the list.
  • To access the Filter Alerts screen, click the Filter button at the top left of the screen. On the Filter Alerts screen you can view the existing query that defines the current alert rule. You can specify additional detail to further refine the query or create a new custom query.
  • To refresh the list of alerts on the screen, click Refresh.
  • To create a rule based on an alert, select the check box of the alert you want to use as the basis for the rule, and click Create Rule.
  • To filter the list of alerts so that only alerts generated during one session are displayed, select the check box of the alert you are interested in, and click Filter Related.
  • To export one or more alerts to a CSV file that you can edit or inspect, click More, and then select Export.
  • To change the status for an alert, select the check box for that alert, click More, and then select Change Status.
    If all the check boxes are selected in a list, you can choose to either change the status for all of the alerts that are in view, or change the status for all of the alerts that match the query.
  • To remove an alert, select the check box for that alert, click More, and then select Delete.
    If all the check boxes are selected in a list, you can choose to either remove all of the alerts that are in view, or remove all of the alerts that match the query.
When you select a single alert, two changes take place:
  • A Filter Related button becomes active. Click this button to view only alerts that have the same session global unique identifier (GUID) as the selected alert.
  • A preview pane opens to show you details about the selected alert.
To use the Filter field in the right corner:
  1. From the Filter control, select the type of match (Contains, or Exact) that you want to use.
  2. In the Filter field, type the filter criteria you want to use, and press Enter.
  3. A Filtered by field displays the alert criteria you applied, and the screen displays only alerts that match that criteria.
  4. To see the rest of the alerts again, click the X to clear your filtered by alert criteria.
To display additional information about a specific alert, select the check box that corresponds to it. A preview pane opens.
When you select a single alert, a preview pane opens to show you details about the selected alert. The tabs that display depend on what data is available for the selected alert.
Details
This tab displays details about the URL that triggered the alert.
  • Alert URL: The URL of the site that was in use when the alert was sent.
  • Alert Status: The current status of the alert.
  • Alert Severity: The severity of the alert. By default, new alerts have a 50% severity, unless the alert matches an existing rule.
  • Referrer: The URL of the site that was visited just before the Alert URL was visited.
  • User Agent: User browser type and operating system.
  • Language: User browser and operating system language.
  • Domain: The name of the domain that triggered the alert.
  • User: The name of the dashboard user who performed an action that triggered the alert.
  • Alert Details: The display varies depending on the type of alert.
  • Device ID: The ID of the device that triggered the alert.
  • Matched URL: The portion of the URL that matched and triggered the alert.
HTML
This tab is visible only if the alert includes these details. It shows you the raw HTML that was included in the alert.
Data
This tab is visible only if the alert includes these details. It shows you the raw HTML and other data that was extracted for further diagnosis of the alert condition.
If the alert type is External Sources or Trojan Validator, this tab displays the malware detection alerts.
If the alert type is External Sources, the alert type is 6 and the alert component is 5. The value contains the forbidden added HTML element and its contents in escaped base64 format.
If the alert type is Trojan Validator, the alert type is 6 and the alert component is 3. The value contains the bait signatures in escaped base64 format.
About
This tab gives a brief summary of details about the alert type.
Advanced
This tab displays the exact query that was sent in the alert. This information can be used to debug alerts and understand the cause of the alert. It is helpful for the Security Operations Center (SOC).
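An analyst reviewing the Data tab values described above usually wants the decoded content without ever rendering it. The following Python sketch is an added example, not F5 code: it assumes "escaped base64" means percent-escaped base64, and the function names and sample values are constructed for illustration.

```python
"""Decode the 'escaped base64' value shown on the Data tab (added example)."""
import base64
import binascii
from html.parser import HTMLParser
from urllib.parse import quote, unquote, urlsplit

# (alert type, alert component) pairs documented for the Data tab.
DATA_KINDS = {(6, 5): "External Sources", (6, 3): "Trojan Validator"}


class _ElementCollector(HTMLParser):
    """Collect tag names and URL-bearing attributes; nothing is rendered."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.urls = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            if name in ("src", "href", "action", "data") and value:
                self.urls.append(value)


def decode_value(value):
    """Undo percent-escaping (assumed), then strict base64; return text."""
    raw = unquote(value.strip())
    raw += "=" * (-len(raw) % 4)  # tolerate stripped padding
    try:
        data = base64.b64decode(raw, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64 after unescaping: {exc}") from exc
    return data.decode("utf-8", errors="replace")


def summarize_alert(alert_type, component, value):
    """Classify the alert by type/component and summarize its decoded value."""
    kind = DATA_KINDS.get((alert_type, component))
    if kind is None:
        raise ValueError(f"no Data tab decoding documented for "
                         f"type {alert_type}, component {component}")
    text = decode_value(value)
    summary = {"kind": kind, "decoded": text, "tags": [], "hosts": []}
    if kind == "External Sources":
        # The value is the forbidden added HTML element: list what it is
        # and which hosts it points at, so they can be checked or blocked.
        collector = _ElementCollector()
        collector.feed(text)
        collector.close()
        hosts = {urlsplit(url).hostname for url in collector.urls}
        summary["tags"] = collector.tags
        summary["hosts"] = sorted(h for h in hosts if h)
    return summary


# Constructed sample: an injected element, encoded the way this example
# assumes the alert carries it (base64, then percent-escaped).
SAMPLE_ELEMENT = '<script src="https://cdn.injected.example/payload.js"></script>'
SAMPLE_VALUE = quote(base64.b64encode(SAMPLE_ELEMENT.encode()).decode("ascii"),
                     safe="")

if __name__ == "__main__":
    result = summarize_alert(6, 5, SAMPLE_VALUE)
    print(result["kind"], result["tags"], result["hosts"])
    # repr() keeps the markup inert when it is pasted into a ticket or log.
    print(repr(result["decoded"]))
```
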

Add an advanced query filter

Before you can perform this task, you must be logged in as Admin.
BIG-IQ Fraud Protection Service provides a rich set of querying features that allow you to quickly and efficiently locate the alerts that you are interested in.
When you select the Filter button from an alerts screen, or when you select add/edit from the Saved Filters screen, you see a dialog box that allows you to specify what alerts you want to filter for.
The screen provides the most common filters in list and text boxes, but you can specify additional filters. The filters that display initially depend on the type of alert you are configuring.
  1. At the top of the screen, click Configuration.
  2. On the left, click EVENTS > Fraud Protection Service, and then click Alerts.
  3. On the left, select the type of alert for which you want to specify advanced filter alerts.
    The Filter Alerts screen opens.
  4. To add filter details, click the Filter button.
    The Filter Alerts popup screen opens.
  5. Complete the Filter Alerts screen:
    1. For Filter Name, if you want to save this query for future use, type a name for this set of query details.
    2. For Category, select one or more categories to specify the type of alert.
    3. For Date, you can specify last 2 weeks, last month, last three months, last six months, or select a custom date range. If you only specify a start date, BIG-IQ selects all alerts from the start date to the current date.
    4. For Alert Severity, type the minimum and maximum severity of the alerts that you want to match.
      If the maximum is not entered, the default is 100.
    5. For Status, if you choose one of the options, only alerts of that status are shown.
      If multiple statuses are needed, then specify them in the Additional Query Parameter field (near the bottom of the screen).
    6. For Location, select the geographic location on which you want to filter.
    7. For User, type the name of the user that triggered the alert.
      You can use a wildcard *. For example, p* matches all users whose name starts with the letter P.
    8. For Domain, type the domain of the site that was in use when the alert was sent.
      You can use a wildcard *. For example, p* matches all host domains whose name starts with the letter P.
      You can also type the domain of the phishing site or the host of the site that was detected.
    9. For Client IP, type the IP address of the victim of the alert in which you are interested.
    10. For Alert URL, type the source URL that caused the alert.
    11. For Guid, type the unique identifier for the set of alerts that make up one session.
      To find the guid, select the alert, and then click the Advanced tab. Under Query Parameters, look for fpm_guid.
    12. For Additional Query Parameters, if what you want cannot be specified with the quick selections, you can use the query language.
      The format for these query parameters is:
      key1: value1 key2: value2 (key3:value3 OR key4)
      OR is implied if it is not supplied.
      The query string syntax is parsed into a series of terms and operators. A term can be a single word or a phrase. Note that phrases must be surrounded by double quotes. In general, the query string syntax observes the Lucene query syntax. The following characters are reserved and cannot be used in a query:
      + - = && || > < ! ( ) { } [ ] ^ " ~ * ? : \ /
      For example:
      (alertType:6 OR alertType:8) language:*us
      For a list of advanced query parameters, refer to Advanced Query Parameter Syntax.
  6. Click Save.

Additional Query Parameters

If what you want cannot be specified with the quick selections, you can use the query language. Available query parameters are listed here.
Parameter Name: What it means
  • category: The type of alert. Select one or more categories. If none are selected, the search will apply to all categories.
  • alertUrl: Type the source URL that caused the alert.
  • alertType: A specific type of alert within a category.
  • device: A specific variation within a type of alert.
  • component: A specific variation within a type of alert.
  • domain: Type the domain of the site that was in use when the alert was sent. You can also type the domain of the phishing site, or the host of the site that was detected.
  • clientIp: Type the IP address of the victim of the alert that you are interested in.
  • details: This parameter can contain many different values depending on the type of alert.
  • device: The device ID of the machine generating the alert (typically a mobile device).
  • alertId: A unique ID configured on the BIG-IP® device for each virtual IP address.
  • severity: Specifies the ID of the customer in the dashboard. When configuring a mobile security anti-fraud profile, you must ensure that the value you assign here for Alert Identifier is the same value used for VMobile's customer parameter in the init iOS method and Android constructor.
  • status: The status assigned by the SOC.
  • userAgent: The user browser type and operating system.
  • continent: The continent code.
  • country: The country code.
  • region: The region code.
  • language: User browser and OS language.
  • referer: The URL of the site that was visited just before the alert URL was visited.
  • uri: The URI to which the client requested to go.
  • user: Type the name of the user that triggered the alert.
  • guid: Type the unique identifier for the set of alerts that make up one session.
  • rule: As set by the user in the rule.
  • alertDetails: As set by the user in the rule.
  • recommendation: As set by the user in the rule.
  • date: You can specify last 2 weeks, last month, last three months, last six months, or select a custom date range. If you only specify a start date, BIG-IQ® selects all alerts from the start date to the current date.
  • cookie: Cookie information associated with this alert.
  • dateType: Type the number of days back from which to start the query.
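
Because the Additional Query Parameters field is free text, a mistyped key or a reserved character in a value makes a saved filter match the wrong alerts. The following Python sketch is an added example, not part of BIG-IQ: it builds a query string in the documented format, checks keys against the parameter list above plus the keys used in the manual's own sample query, and rejects the reserved characters. The function names are hypothetical, and allowing * as a wildcard follows the manual's p* and language:*us examples.

```python
"""Build and validate an FPS 'Additional Query Parameters' string (added example)."""

# Parameter names from the list above, plus the three extra keys that appear
# only in the manual's own sample query (host, severityGE, severityLE).
KNOWN_KEYS = frozenset({
    "category", "alertUrl", "alertType", "device", "component", "domain",
    "clientIp", "details", "alertId", "severity", "status", "userAgent",
    "continent", "country", "region", "language", "referer", "uri", "user",
    "guid", "rule", "alertDetails", "recommendation", "date", "cookie",
    "dateType", "host", "severityGE", "severityLE",
})

# Reserved characters exactly as the manual lists them.
RESERVED_CHARS = frozenset('+-=><!(){}[]^"~*?:\\/')
RESERVED_PAIRS = ("&&", "||")


def reserved_in(value, allow_wildcard=False):
    """Return the reserved characters and operators found in a value, sorted."""
    found = {ch for ch in value if ch in RESERVED_CHARS}
    if allow_wildcard:
        found.discard("*")  # the manual's examples use * as a wildcard
    found.update(pair for pair in RESERVED_PAIRS if pair in value)
    return sorted(found)


def term(key, value, wildcard=False):
    """Return 'key:value', quoting phrases and refusing reserved characters."""
    if key not in KNOWN_KEYS:
        raise ValueError(f"unknown query parameter: {key!r}")
    text = str(value).strip()
    if not text:
        raise ValueError(f"empty value for {key!r}")
    bad = reserved_in(text, allow_wildcard=wildcard)
    if bad:
        raise ValueError(f"reserved characters in {key!r} value: {' '.join(bad)}")
    if any(ch.isspace() for ch in text):
        if wildcard:
            # Design choice of this example: no wildcards in quoted phrases.
            raise ValueError("wildcard values must be a single word")
        text = f'"{text}"'  # phrases must be surrounded by double quotes
    return f"{key}:{text}"


def any_of(*terms):
    """Group terms with an explicit OR, as in the manual's (a OR b) form."""
    if not terms:
        raise ValueError("any_of() needs at least one term")
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"


def build_query(*parts):
    """Join terms and groups with single spaces into one query string."""
    return " ".join(parts)


if __name__ == "__main__":
    # The first query reproduces the manual's own example.
    print(build_query(any_of(term("alertType", 6), term("alertType", 8)),
                      term("language", "*us", wildcard=True)))
    # Constructed inputs: the lowercase spelling of "monitor" is assumed
    # from the manual's status:new example; the IP is a documentation address.
    print(build_query(any_of(term("status", "new"), term("status", "monitor")),
                      term("clientIp", "192.0.2.10")))
    for key, value in (("domain", "my-bank.example"), ("alertTyp", 6)):
        try:
            term(key, value)
        except ValueError as exc:
            print("rejected:", exc)
```
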

Create and save a custom filter

Before you can perform this task, you must be logged in as Admin.
You can create and save custom filters. This process is very similar to creating an advanced query filter, except you start with no default set of filters.
  1. At the top of the screen, click Configuration.
  2. On the left, click EVENTS > Fraud Protection Service, and then click Alerts.
  3. Click Saved Filters.
    The Saved Filters screen opens.
  4. Click Create to create a new filter.
    The New Saved Filter screen opens.
  5. In the Filter Name field, type a name for the alert filter.
  6. For Category, select the type of alert from the list.
  7. For the Date, select from the options in the list.
    The options are Last 2 weeks, Last month, Last three months, Last six months, or a Custom date range. If you only specify a start date, the system selects all alerts from the start date to the current date.
  8. For Alert Severity, select the severity level of the alert. The From and To fields include numbers ranging from 1 to 100.
  9. For Status, select the status from the list. You can pick one of the options, and only alerts of that status are shown. If you need more than one status, you can specify that in the Additional Query parameter field.
  10. For Location, select the location from the list.
  11. For User, type the user name.
  12. In the Domain field, type the domain.
    The system only matches on exact match, and is case sensitive.
  13. In the Client IP field, type the client IP address.
  14. In the Alert URL field, type the alert URL.
  15. In the Guid field, type the unique identifier.
  16. If what you want can’t be specified with the quick selections, you can use the query language in the Additional Query Parameter setting.
    This is the format:
    key1: value1 key2: value2 (key3:value3 OR key4)
    For example:
    (alertType:6 OR alertType:8) after Feb 02 2015 07:56:26 before Feb 10 2015 23:56:26 host:versafe.com alertId:ddd severityGE:2 severityLE:94 status:new rule:rule1
  17. Click Save & Close.
You have now created and saved alert filters.

Change an alert status

Before you can perform this task, you must be logged in as Admin.
You can change the status of alerts in Fraud Protection Service. An alert status change is performed by an admin, security manager, or FPS manager to indicate that an alert has been inspected, and what the status of the alert is.
  1. At the top of the screen, click Configuration.
  2. On the left, click EVENTS > Fraud Protection Service, and then click Alerts.
  3. Click Unfiltered Alerts.
  4. Select the check box of the alert type for which you want to change the status.
  5. Click the More button, and then select Change Status.
  6. Under Select the new status to set on alerts, select the new status from the list.
    • New: The SOC team has not yet handled this item.
    • Open: The SOC team is currently handling this item.
    • Handle: The SOC team has finished handling this item.
    • Monitor: The SOC team has monitored this item.
    • Close: The SOC team has closed this item.
    • Ignore: The SOC team is familiar with the alert and has decided that it is not malicious (the alert is a false positive). Ignored alerts can be seen only when using filters.
    • Official: The SOC team has determined that this specific URL is legitimate.
  7. Click Change Selected.
    Changing alert statuses displays while your request is processed.
  8. Click Close when the alert status change completes.

Remove an alert

Before you can perform this task, you must be logged in as Admin.
You can delete the alerts that you have created in FPS.
  1. At the top of the screen, click Configuration.
  2. On the left, click EVENTS > Fraud Protection Service, and then click Alerts.
  3. On the left, select the alert type that you want to delete.
  4. Select the specific alert you want to delete, then click the More button, and select Remove.
    If the header check box is selected, when you click Remove you are prompted to select whether you want to remove all of the alerts that are currently selected (only 50 to 75 are selected at a time due to memory constraints), or all the alerts that match the query.
The specified alerts are deleted.

Export an alert

Before you can perform this task, you must be logged in as Admin.
You can export the alerts that you have created in FPS.
  1. At the top of the screen, click Configuration.
  2. On the left, click EVENTS > Fraud Protection Service, and then click Alerts.
  3. On the left, select the alert type that you want to export.
  4. Select the alert you wish to export, then click the More button, and select Export.
The specified alerts are exported to a .csv file in your Downloads folder.

Signature files overview

FPS malware signatures allow the BIG-IP® system to discover generic malware targeting web sites and mobile apps, and enhance protection of your anti-fraud profile. It is important to help keep the fraud protection on your system up to date by updating malware signatures with a signature file provided by F5.
Signature file updates can be downloaded from the F5 Update server or uploaded from a local server. The upload option is relevant in a case where F5 has provided you directly with a signature file update.
Signature file updates can be downloaded from the F5 update server either manually or automatically. If you choose the automatic download option, you can configure the time interval for the periodic updates.

Downloading a signature file from the F5 update server

This procedure requires at least one BIG-IP device with Fraud Protection Service discovered on your BIG-IQ system.
Download a malware signature file from the F5 update server to ensure that you have the most up-to-date protection of your anti-fraud profile on the BIG-IP system.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Threat Intelligence > Fraud Protection Service.
    The SIGNATURE FILES and ENGINE FILES menus appear.
  3. In the SIGNATURE FILES menu, click Signature File List.
  4. Click Download.
    The Choose download and install option screen opens.
  5. Choose one of the following download options:
    • Download latest files: Choose this option to download the most up-to-date file but not install it at this time.
    • Download latest files and install on All devices: Choose this option to download the most up-to-date file and install it immediately after download on all BIG-IP devices in the cluster.
    • Download latest files and install on Active devices: Choose this option to download the most up-to-date file and install it immediately after download on the primary BIG-IP devices in the cluster.
  6. Click OK.
The most up-to-date signature file is downloaded to the BIG-IQ system and appears in the list in the Signature Files List screen. If you chose the download and install option, the file is pushed to the BIG-IP devices in the cluster and installed on them.
If you did not choose the download and install option, you need to manually install the updated signature file to complete the update of malware signatures on the BIG-IP system.
You can check the status of the download by going to SECURITY > Threat Intelligence > Fraud Protection Service > Signature Files > Download Process and clicking on the name of the signature file in the list. If you chose the download and install option, check the status at SECURITY > Threat Intelligence > Fraud Protection Services > Signature Files > Download and Install.

Uploading a signature file stored locally

This procedure requires at least one BIG-IP® device with Fraud Protection Service discovered on your BIG-IQ® system.
You can upload a locally stored malware signature file to the BIG-IQ system if you do not want to download the updated malware signature file from the F5 update server.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Threat Intelligence > Fraud Protection Service.
    The SIGNATURE FILES and ENGINE FILES menus appear.
  3. In the SIGNATURE FILES menu, click Signature File List.
  4. Click Import.
    The Import FPS Signature File screen opens.
  5. Choose one of the following actions:
    • Click Choose File, and then perform the following steps:
      1. Navigate to the updated signature file.
      2. Click Open. The file name appears in the Import FPS Signature File screen.
      3. Click Import at the bottom of the Import FPS Signature File screen. The updated file now appears in the Signature Files list.
    • Drag and drop the updated signature file from its original location to the area labeled Drop Update File Here. After doing this, the Signature Files list appears, showing the updated file.
Manually install the updated signature file to finish updating malware signatures on the BIG-IP system.

Installing a signature file

Before you can install a signature update file, you must either download the file from the F5 update server or upload it locally.
Install a signature update file to one or more BIG-IP® devices to ensure that you have the most up-to-date protection of your anti-fraud profile on the BIG-IP system.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Threat Intelligence > Fraud Protection Service.
    The SIGNATURE FILES and ENGINE FILES menus appear.
  3. In the SIGNATURE FILES menu, click Signature File List.
  4. In the Signature Files list, click the name of the signature file you want to install.
    The Properties screen for the signature file opens.
  5. For the Install to Devices setting, select the BIG-IP device(s) where you want to install the file.
  6. From the Install To list, choose whether to install the file on all BIG-IP devices in the cluster or on just the active (primary) devices in the cluster.
    Once a file is deployed to an active clustered BIG-IP device, a synchronization task will run on the BIG-IP device cluster.
  7. Click Install.
    The BIG-IQ system pushes the file to the BIG-IP devices that you selected and the file is installed on those devices.
You can check the status of the installation by going to SECURITY > Threat Intelligence > Fraud Protection Services > Signature Files > Install Status and clicking the name of the signature file in the list.

Scheduling automatic signature file updates

This procedure requires at least one BIG-IP® device with Fraud Protection Service discovered on your BIG-IQ® system.
Schedule automatic signature file updates to automate the process of downloading and installing updated malware signature files according to a specified time interval.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Threat Intelligence > Fraud Protection Service.
    The SIGNATURE FILES and ENGINE FILES menus appear.
  3. In the SIGNATURE FILES menu, click Signature File List.
  4. Click Settings.
    The Settings screen opens.
  5. For Remote Updates, select the Enabled check box.
  6. For Interval, select a time interval for the automatic update.
    1. If you choose Custom, select a time interval from the Custom list.
  7. For Starting At, choose a date and time for when the automatic update should start.
  8. If you are using a proxy, select it from the Proxy list.
  9. From the Install To list, choose whether you want the automatic update to install the signature file on all BIG-IP devices in the cluster or on just the active (primary) devices in the cluster.
  10. Click Save & Close.
    The Signature Files list appears.
  11. Follow these steps for every BIG-IP device that you want to receive the automatic signature file update:
    1. Go to SECURITY > Fraud Protection Services > Devices.
    2. Click the device name in the Devices List.
      The device Properties screen opens.
    3. Under Signature File Version, select the Allow Automatic Install check box.
    4. Click Save & Close.
Automatic signature file updates are configured, and will begin on the start date that you selected.
You can check the status of the download and installation by going to SECURITY > Threat Intelligence > Fraud Protection Service > Signature Files > Download and Install and clicking the name of the signature file in the list.

Engine files overview

The FPS JavaScript Engine allows the BIG-IP® system to discover generic malware targeting web sites and mobile apps, and enhances protection of your anti-fraud profile. It is important to help keep the fraud protection on your system up to date by updating the engine with an engine file provided by F5.
Engine file updates can be downloaded from the F5 update server or uploaded from a local server. The upload option is relevant in a case where F5 has provided you directly with an engine file update.
Engine file updates can be downloaded from the F5 update server either manually or automatically. If you choose the automatic download option, you can configure the time interval for the periodic updates.
F5 recommends that you do not use the automatic engine file update option, and that you perform engine file updates manually.

Downloading an engine file from the F5 update server

This procedure requires at least one BIG-IP device with Fraud Protection Service discovered on your BIG-IQ system.
Download a JavaScript engine file from the F5 update server to ensure that you have the most up-to-date protection of your anti-fraud profile on the BIG-IP system.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Threat Intelligence > Fraud Protection Service.
    The SIGNATURE FILES and ENGINE FILES menus appear.
  3. In the ENGINE FILES menu, click Engine File List.
  4. Click Download.
    The Choose download and install option screen opens.
  5. Choose one of the following download options:
    • Download latest files: Choose this option to download the most up-to-date file but not install it at this time.
    • Download latest files and install on All devices: Choose this option to download the most up-to-date file and install it immediately after download on all BIG-IP devices in the cluster.
    • Download latest files and install on Active devices: Choose this option to download the most up-to-date file and install it immediately after download on the primary BIG-IP devices in the cluster.
  6. Click OK.
The most up-to-date engine file is downloaded to the BIG-IQ system and appears in the list in the Engine Files List screen. If you chose the download and install option, the file is pushed to the BIG-IP devices in the cluster and installed on them.
If you did not choose the download and install option, you need to manually install the updated engine file to complete the update.
You can check the status of the download by going to SECURITY > Threat Intelligence > Fraud Protection Services > Engine Files > Download Process and clicking on the name of the engine file in the list. If you chose the download and install option, check the status at SECURITY > Threat Intelligence > Fraud Protection Services > Engine Files > Download and Install.

Uploading an engine file stored locally

This procedure requires at least one BIG-IP® device with Fraud Protection Service discovered on your BIG-IQ® system.
You can upload a locally stored JavaScript engine file to the BIG-IQ system if you do not want to download the updated engine file from the F5 update server.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Threat Intelligence > Fraud Protection Service.
    The SIGNATURE FILES and ENGINE FILES menus appear.
  3. In the ENGINE FILES menu, click Engine File List.
  4. Click Import.
    The Import Engine File screen opens.
  5. Choose one of the following actions:
    • Click Choose File, and then perform the following steps:
      1. Navigate to the updated engine file.
      2. Click Open. The file name appears in the Import Engine File screen.
      3. Click Import at the bottom of the Import Engine File screen. The updated file appears in the Engine Files list.
    • Drag and drop the updated engine file from its original location to the area labeled Drop Update File Here. The Engine Files list appears, showing the updated file.
Manually install the file to finish updating the JavaScript engine on the BIG-IP system.

Installing an engine file

Before you can install an engine file, you must either download the file from the F5 update server or upload it locally.
Install an engine update file to one or more BIG-IP® devices to ensure that you have the most up-to-date protection of your anti-fraud profile on the BIG-IP system.
  1. At the top of the screen, click Configuration.
  2. On the left, click SECURITY > Threat Intelligence > Fraud Protection Service.
    The SIGNATURE FILES and ENGINE FILES menus appear.
  3. In the ENGINE FILES menu, click Engine File List.
  4. In the Engine Files list, click the name of the engine file you want to install.
    The Properties screen for the engine file opens.
  5. For the Install to Devices setting, select the BIG-IP device(s) where you want to install the file.
  6. From the Install To list, choose whether to install the file on all BIG-IP devices in the cluster or on just the active (primary) devices in the cluster.
    Once a file is deployed to an active clustered BIG-IP device, a synchronization task will run on the BIG-IP device cluster.
  7. Click Install.
    The BIG-IQ system pushes the file to the BIG-IP devices that you selected and the file is installed on those devices.
You can check the status of the installation by going to SECURITY > Threat Intelligence > Fraud Protection Services > Engine Files > Install Status and clicking the name of the engine file in the list.

Scheduling automatic engine file updates

This procedure requires at least one BIG-IP® device with Fraud Protection Service discovered on your BIG-IQ® system.
Schedule automatic engine file updates to automate the process of downloading and installing updated engine files according to a specified time interval.
F5 recommends that you do not use the automatic engine file update option, and that you perform engine file updates manually instead.
  1. On the left, click SECURITY > Threat Intelligence > Fraud Protection Service.
    The SIGNATURE FILES and ENGINE FILES menus appear.
  2. In the ENGINE FILES menu, click Engine File List.
  3. Click Settings.
    The Settings screen opens.
  4. For Remote Updates, select the Enabled check box.
  5. For Interval, select a time interval for the automatic update.
    1. If you choose Custom, select a time interval from the Custom list.
  6. For Starting At, choose a date and time for when the automatic update should start.
  7. If you are using a proxy, select it from the Proxy list.
  8. From the Install To list, choose whether you want the automatic update to install the engine file on all BIG-IP devices in the cluster or on just the active (primary) devices in the cluster.
  9. Click Save & Close.
    The Engine Files list appears.
  10. Follow these steps for every BIG-IP device that you want to receive the automatic engine file update:
    1. Go to SECURITY > Fraud Protection Services > Devices.
    2. Click the device name in the Devices List.
      The Device Properties screen opens.
    3. Under Engine File Version, select the Allow Automatic Install check box.
    4. Click Save & Close.
Automatic engine file updates are configured, and will begin on the start date that you selected.
You can check the status of the download and installation by going to SECURITY > Threat Intelligence > Fraud Protection Services > Engine Files > Download and Install and clicking the name of the engine file in the list.